Why is credit card information not stolen more often?

PCI DSS

The major reason for this is a decade-long effort by the payment card industry to limit the extent of such breaches by requiring everyone who handles payment card data to either (a) conform to a set of security practices and (usually) audit requirements, or (b) stop handling payment card data themselves and delegate it to someone who can handle this better.

You shouldn't underestimate the second part - while pretty much all sites handle their own user account data, the vast majority of sites (especially smaller ones) that accept credit card payments do not store credit card data in any way whatsoever; if they do want recurring payments without asking for the CC number every time, they instead store 'just enough' information to show the user (e.g. a partial card number) that this card is "remembered", plus a token issued by their bank/gateway/whatever that enables additional payments from this card to the same merchant - so these tokens are useless to an attacker.

While it's not 100% proof and there are many, many cases where PCI DSS is blatantly violated, it does mean a significant reduction in the number of vulnerable companies.
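The tokenised storage model this answer describes, as an added example that is not part of the original post: a constructed gateway and merchant, where the merchant's records hold only a masked number and a random, merchant-bound token, so a dump of those records yields no card number and the token is refused when another merchant presents it.

```python
import secrets
from dataclasses import dataclass, field


def mask_pan(pan: str) -> str:
    """The display form a merchant keeps: every digit but the last four masked."""
    return "*" * (len(pan) - 4) + pan[-4:]


class Gateway:
    """Hypothetical gateway (constructed stand-in): the only party holding full PANs."""

    def __init__(self) -> None:
        self._vault = {}  # token -> (merchant_id, pan); encrypted/HSM-backed in real life

    def tokenize(self, merchant_id: str, pan: str) -> str:
        # The token is random, so it reveals nothing about the PAN it stands for.
        token = secrets.token_urlsafe(24)
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> bool:
        entry = self._vault.get(token)
        # A token works only for the merchant it was issued to; anyone else presenting it fails.
        if entry is None or entry[0] != merchant_id or amount_cents <= 0:
            return False
        return True


@dataclass
class Merchant:
    """Merchant that never persists a PAN: its records hold a masked number and a token."""

    merchant_id: str
    gateway: Gateway
    customers: dict = field(default_factory=dict)

    def save_card(self, customer: str, pan: str) -> None:
        token = self.gateway.tokenize(self.merchant_id, pan)
        self.customers[customer] = {"display": mask_pan(pan), "token": token}
        # The full PAN goes out of scope here and is never written to the merchant's storage.

    def recurring_charge(self, customer: str, amount_cents: int) -> bool:
        rec = self.customers[customer]
        return self.gateway.charge(self.merchant_id, rec["token"], amount_cents)


def merchant_db_contains_pan(merchant: Merchant, pan: str) -> bool:
    """Simulate a dump of the merchant's records and check whether the full PAN appears."""
    return any(pan in str(rec) for rec in merchant.customers.values())
```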


In the case of the recently disclosed Yahoo data breach, where 1bn user account records were stolen, it transpired that no credit card information was stolen because it was kept in a separate database in encrypted format.

Most organisations have rigid and robust methods to store credit card information, typically in a separate database and encrypted. This helps organisations to protect highly sensitive data against data breaches.